<div dir="ltr"><a href="https://www.engadget.com/2017/10/11/t-mobile-website-flaw-social-engineering-hacks/">https://www.engadget.com/2017/10/11/t-mobile-website-flaw-social-engineering-hacks/</a><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br></div></div><div dir="ltr"><div class="gmail-o-article_block gmail-pb-15 gmail-pb-5@m- gmail-o-subtle_divider">
<div class="gmail-grid@tl+">
<div class="gmail-grid@tl+__cell gmail-col-8-of-12@tl+">
<div class="gmail-article-text gmail-c-gray-1">
<p>Up until last week, a <a href="https://www.engadget.com/2017/10/02/t-mobile-pulls-advertisement-claiming-fastest-network/">T-Mobile</a>
website had a serious security hole that let hackers access users'
email addresses, account details and the IMSI (the International Mobile Subscriber Identity, the identifier tied to a subscriber's SIM), according to a
report from <a href="https://motherboard.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number"><em>Motherboard</em></a>.
Attackers needed only a target's phone number to obtain the information,
which could then be used in social engineering attacks to take over the
line, or worse.</p>
</div>
</div>
</div>
</div>
<div class="gmail-js-notMobileReferredByFbTw">
<div class="gmail-o-article_block gmail-pb-15 gmail-pb-5@m- gmail-mt-n35 gmail-mt-n25@m gmail-mt-n15@s">
<div class="gmail-grid@tl+">
<div class="gmail-full-width@tp- gmail-grid@tl+__cell gmail-col-8-of-12@tl+">
<div class="gmail-article-text gmail-c-gray-1 gmail-no-review">
<p>The security researcher who discovered the hole, Karan Saini from
startup Secure7, notes that anyone could have run a script to scrape the
data of all 76 million T-Mobile users and create a searchable database.
"That would effectively be classified as a very critical data breach,
making every T-Mobile cell phone owner a victim," he told <em>Motherboard.</em></p><p>T-Mobile
said in a statement that "we were alerted to an issue that we
investigated and fully resolved in less than 24 hours. There is no
indication that it was shared more broadly." Saini notes that T-Mobile
offered him a $1,000 reward as part of its bug bounty program.</p><p>However, an anonymous hacker disputes T-Mobile's claim that the bug wasn't shared broadly, telling <em>Motherboard</em>
that "a bunch of SIM swapping kids had [the hack] and used it for quite
a while." They could have exploited the data to "socially engineer," or
basically con, T-Mobile technicians into handing over replacement SIMs
by pretending they're the owners of the line. <em>Motherboard</em> also discovered a <a href="https://www.youtube.com/watch?v=3_gd3a077RU">YouTube video</a> dated August 6th that describes exactly how to execute the hack.</p><p>In fact, this is <a href="https://techcrunch.com/2017/08/23/i-was-hacked/">exactly what happened</a> to <em>TechCrunch</em>
writer John Biggs on August 22nd. After impersonating him and obtaining
a replacement for his T-Mobile SIM, a hacker was able to quickly change
his Gmail, Facebook, and other passwords, even though those accounts were
protected by SMS-based two-factor authentication; with control of the number, the attacker received the verification codes sent to it.</p><p>It's impossible to say
whether the security hole helped the hackers swindle hapless T-Mobile
tech support employees into sending them replacement SIMs, but it
certainly appears plausible. (Tech support staff are supposed to require
security question responses, invoices and other information, but often
hand over SIMs to smooth-talking hackers without them.) We've reached out
to T-Mobile and the FCC to find out if there was an uptick in such
attacks over the last few months.</p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>